The relevance of risk management skills to cyber security
06:00 Wednesday, 21 July 2021
UK Cyber Security Council
When one recruits cyber security staff, the tendency is to look for people with cyber security skills. This makes perfect sense, of course, because security is a complex subject that covers a wide variety of concepts from highly technical encryption and architecture to softer skills such as training and reporting.
There is a tendency, however, for security specialists to be single-minded and unwavering – dictatorial, even – with regard to how they want the organisation to run its security regime. And on the surface, there is a great deal of logic in wishing to implement best practice in one’s approach to security – to insist on complex passwords, multi-factor authentication, the principle of least privilege, highly encrypted storage, paired firewalls, segregation of duties, etc.
Security can, however, be as inconvenient to the users as it is protective to the organisation’s data. The old cliché continues to apply: if you want to make a system secure, turn it off and bury it in a deep hole. And as we know, the answer is compromise: we need to make systems secure enough but still sufficiently usable – not least because if something is near-impossible to use correctly, users will find an easier and less secure way to do their work.
How, though, do we define “secure enough”? The answer is that we need a benchmark to measure against, and that benchmark is the organisation’s risk appetite.
Despite claims to the contrary, cyber security is just an instance of business risk management. It should sit in the organisational risk register alongside environmental, physical, economic, political, social and legal risks. Companies that treat cyber risk separately from other risks are most likely operating sub-optimally, because you measure cyber risk in precisely the same way as you would other risks. The management of the organisation should already have a documented risk appetite, which can be extended to cover cyber risks.

You therefore carry out a risk assessment, quantifying (as far as you can) the likelihood of a risk manifesting and the impact if it does, and marry it up to the risk appetite. If the “score” of the risk is too high, you do something about it – implement some mitigating technology, insure against it, perhaps decide to live with it for a few months until you can take action because there are higher-scoring risks that need to take priority. What you don’t do is implement a huge programme of remediation that minimises every identified risk – partly because you can’t, but partly because your mission is to bring risks within the organisation’s appetite.
So if, when recruiting, one comes across a cyber security specialist who also has qualifications and experience in business risk management, one should look very carefully at the CV – because they may well be a better choice than a pure cyber person.